New SOHO Router Security Audit Uncovers Over 60 Flaws In 22 Models

Home and small-office routers have become a hotbed for security research lately, with vulnerabilities and poor security practices becoming the rule, rather than the exception. A new security audit by researchers from Universidad Europea de Madrid only adds to that list, finding 60 distinct flaws in 22 different device models. They posted details of their research on the Full Disclosure mailing list, and the affected brands include D-Link, Belkin, Linksys, Huawei, and others. Many of the models they examined had been distributed to internet customers across Spain by their ISPs. About half of the flaws involve Cross Site Scripting and Cross Site Request Forgery capabilities, though there is at least one backdoor with a hard-coded password. Several routers allow external attackers to delete files on USB storage devices, and others facilitate DDoS attacks.

They are missing a few.

Netgear has some major security flaws they they've refused to address for a long time. Mainly direct remote access. I'm not sure if this is by design via the NSA or because they are horrifically lazy, but I stopped caring what they thought and installed Linux on my router. Openwrt and dd-wrt work better than the original in most cases, except in the realm of tx power modification. That seems to have sucked since people started frying their antenna's and the dev's stopped pursuing it.

"Video Bytes"?

Fuck off with these horseshit "features" that nobody wants.

OK

[koan]

Most of you /.'ers that have read my comments know that I like to dis Apple, can't stand the fucking fanbois, but I have yet to see the Airport listed in any of these articles.
If you have point it out to me, it seems they are fairly sound devices.

Re:OK

[iMouse]

...right out of the AirPort Extreme manual?

To set up your AirPort Extreme using a Mac, you need the following:
A Mac computer with an AirPort or AirPort Extreme Card installed to set it up wirelessly, or a Mac computer connected to an AirPort Extreme Base Station with an Ethernet cable to set it up using Ethernet

To set up your AirPort Extreme using a Windows PC, you need the following:
A Windows PC with 300 MHz or higher processor speed and a compatible 802.11a, 802.11b, 802.11g, or 802.11n wireless card to set it up wirelessly, or a Windows computer connected to an AirPort Extreme Base Station with an Ethernet cable to set it up using Ethernet

I own several AirPort Extreme/Express devices...range and performance are just as good as other premium consumer-brand routers and access points. I have several Extremes sitting in an 802.1x environment...rock solid reliability and performance. If I had one complaint, it would be that the radio is a bit noisy...in a quiet room, you can often hear a tinny squeal when under load.

Re:OK

[NoMaster]

Oh, they've had a few (Secunia's down for me at the moment, but there's a reasonably up-to-date list here), so they're not perfect - but yes, they seem on the whole to have their act together.

Sure, they're not as configurable as a cheap Linksys (although they can be pushed to do anything you'd reasonably* expect a home/SOHO router to do), you can't shoehorn Linux onto them, and the lack of a CLI or web interface (a OSX / Win only config utility) is shitty - but they're solid, robust, & pretty secure devices which are almost perfect for the average home or SOHO user.

Oh, and the AC who said "Cannot configure them via a wired port, only wireless (wtf?)" is either a troll or an idiot...

(* running a server, packet inspection, or doing heavily customised routing is not a reasonable expectation for a home/SOHO router - that sort of thing belongs on a separate machine that doesn't have one testicle dangling out on the WAN...)

Minimum standards

[Peter+H.S.]

Really, there ought to be some sensible minimum standards for commercial products that can be connected to the internet. This could include that the company had a decent policy for security fixes and a published contact point for people reporting such problems.

And how about a pre-published, minimum security support length, so that people buying a smartphone/router/etc. will know in advance how many years it will be supported with security fixes. There are "use by" dates on food, why not on all internet connected devices.

Re:Only? wait for IOT

[Chewy509]

Due to the number of growing exploits against SOHO routers, SmartTVs, UEFI firmware, etc... we at work now tend to refer to IoT as BoT... aka Internet of Things == BotNet of Things...

And it's a simple case of not if, but when this will happen...

Re:Yeah, but can you stop the NSA

[aXis100]

Linux "just running iptables" is perfectly secure.

In general you cant just hack firewall software directly. What you do is find a protocol that is allowed through the firewall and then exploit some vulnerability on that protocol. Examples would be default passwords or SQL injection in a web management interface, buffer overflows in a DNS response, weak encryption in a VPN etc.

Re:Only concerns ISP-specific models

[gstoddart]

So, in other words, these models were specifically made for and distributed by an ISP, and were not off-the-shelf models. The backdoors were there for the ISP managers.

Well, I trust my ISPs router ... well, not at all, actually.

Because I assume my ISP is either incompetent or dishonest, I don't really care which, I simply don't trust them. And I sure as fuck don't trust them with access to my actual network. I want a layer of security between me and their shit, because I assume their stuff is trivially hacked.

My wife and I each have our offices set up where our own router is getting DHCP from the ISPs router, and then firewalling everything from it. We each have our own locked down wifi, and entirely separate networks. I'm pondering a third router to provide the guest wifi.

Other than disabling the ISPs wifi and using our own, I wouldn't even know the SSID or the password for the ISPs crap. I assume they haven't turned it on without asking, but I never check -- come to think of it, I'd have to find out how.

My parents and my in-laws have routers we've bought them to sit behind the crap the ISP provides. Because I know for a fact that in both cases the ISP provides a router with default wifi SSID and passwords which are published in the docs they give you.

Because it's printed in the "how to" for every damned subscriber, and you can't change it, you can pretty much imagine that if you find an SSID of the right name you can connect to it, and probably have management access to it.

For 99% of network users out there, these vulnerabilities are of no practical concern.

But the problem is so many households trust that the wide open, back doored, well known remote-admin credentialed, shitty routers they've been provided with give them any form of security.

Which means for the overwhelming majority of home users who aren't tech savvy and paranoid, these vulnerabilities are absolutely of practical concern ... because their PCs are directly plugged into the ISPs router, or they're using wifi from the ISPs router.

I'm betting a lot of home users figure they have the router from the ISP, so they don't need anything else.

That these are ISP models doesn't diminish the number of people who could be impacted ... it greatly magnifies it. Because most people who don't know better (and a few who do) connect their PC directly to the ISPs router.

Honestly, go talk to a random neighbor .. see if they have anything between them and their ISPs router. My best is they don't.